4 - Mod Security Rules Packages

Starting with version 1.6.2 stable, you can now enable OWASP and Comodo Mod Security rules with one click.

Navigate to → https://:8090/firewall/modSecRulesPacks

Click the switch and it will turn on OWASP Rules. To verify that the OWASP rules are installed successfully, open:

http://example.com/?a=b AND 1=1

You should get a 403 Forbidden error. You can also see the match in your ModSecurity audit logs:

ModSecurity: Warning. detected SQLi using libinjection. [file "/usr/local/lsws/conf/modsec/owasp/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "17"] [id "942100"] [rev "1"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data:  found within ARGS:a: b AND 1=1"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "dev.cyberpanel.net"] [uri "/"] [unique_id "152317238285.808317"] [ref "v8,9t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,t:removeComments"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/lsws/conf/modsec/owasp/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "36"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "dev.cyberpanel.net"] [uri "/"] [unique_id "152317238285.808317"] [ref ""]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/lsws/conf/modsec/owasp/rules/RESPONSE-980-CORRELATION.conf"] [line "61"] [id "980130"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): SQL Injection Attack Detected via libinjection'"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "event-correlation"] [hostname "dev.cyberpanel.net"] [uri "/"] [unique_id "152317238285.808317"] [ref ""]

You can see that a rule from REQUEST-949-BLOCKING-EVALUATION.conf is triggered. If you disable this file, you will not get a 403 error.


Disable Rule Files

Once OWASP or Comodo rules are enabled you can also enable or disable individual rule files.
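
As an added example (not part of the original post or of CyberPanel's code), the sketch below parses audit-log entries like the three shown above, groups them by unique_id, and separates the rule that detected the request (942100) from the rule that enforced the 403 (949110). The sample lines are abridged from the log above, and the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: the three audit-log entries shown above, abridged to the
# fields this parser reads (tags, rev, maturity, hostname and ref removed).
SAMPLE_LOG = """\
ModSecurity: Warning. detected SQLi using libinjection. [file "/usr/local/lsws/conf/modsec/owasp/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "17"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "2"] [uri "/"] [unique_id "152317238285.808317"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/lsws/conf/modsec/owasp/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "36"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"] [uri "/"] [unique_id "152317238285.808317"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/lsws/conf/modsec/owasp/rules/RESPONSE-980-CORRELATION.conf"] [line "61"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): SQL Injection Attack Detected via libinjection'"] [severity "0"] [uri "/"] [unique_id "152317238285.808317"]
"""

FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # [key "value"] pairs
DENIED = re.compile(r"Access denied with code (\d+)")  # enforcement entries
SCORE = re.compile(r"Total (?:Inbound )?Score: (\d+)")  # anomaly score reports


def parse_line(line):
    """Return the bracketed fields of one entry plus the HTTP status, if denied."""
    entry = dict(FIELD.findall(line))
    denied = DENIED.search(line)
    entry["status"] = int(denied.group(1)) if denied else None
    return entry


def summarize(log_text):
    """Group entries by unique_id (one HTTP transaction) and separate the rules
    that detected something from the rule that enforced the block."""
    txns = defaultdict(lambda: {"detections": [], "blocked_by": None,
                                "status": None, "score": None})
    for line in log_text.splitlines():
        if not line.startswith("ModSecurity:"):
            continue
        e = parse_line(line)
        t = txns[e.get("unique_id")]
        score = SCORE.search(e.get("msg", ""))
        if score:
            t["score"] = int(score.group(1))
        if e["status"] is not None:
            # "Access denied" entry: the rule that turned the score into a 403
            t["blocked_by"], t["status"] = e.get("id"), e["status"]
        elif not score:
            # a warning that is not a score report comes from a detection rule
            t["detections"].append((e.get("id"), e.get("msg")))
    return dict(txns)
```

A transaction that has detections but no blocked_by entry was logged without being denied, which is what to look for after disabling the blocking-evaluation file.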

I have installed the security mod, but when I try to configure it I get this page:

Anything I could do?



Same issue, mod security not working.


Same issue here, on a brand new installation of version 2.4.4 on AlmaLinux 9.

/home/cyberpanel/error-logs.txt does not report anything, even with debug mode enabled.

How can we resolve the issue and enable the OWASP rules?

The same thing happens to me, it stays like that indefinitely and doesn’t load.

I can also agree, it's not working. When toggling the OWASP switch, it looks like it's turned on, but nothing happens. When the page is refreshed, it's turned off again.

I detected that the owasp directory doesn’t exist. This is a fresh install of CyberPanel.

ubuntu@host:~$ sudo ls -l /usr/local/lsws/conf/modsec
total 4
-rw-r--r-- 1 root root 100 Nov 23 17:54 rules.conf
ubuntu@host:~$
ubuntu@host:~$ sudo ls -l /usr/local/lsws/conf/modsec/owasp-crs
ls: cannot access ‘/usr/local/lsws/conf/modsec/owasp-crs’: No such file or directory
ubuntu@host:~$

Alright, I managed to get OWASP CRS working properly and confirmed it’s just a CyberPanel UI bug.

Fresh CyberPanel installs don’t ship with the owasp-crs folder at all, so the toggle will never stay enabled. You have to create it manually.

Here’s what I did:

sudo mkdir -p /usr/local/lsws/conf/modsec/owasp-crs
cd /usr/local/lsws/conf/modsec/owasp-crs

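sudo wget https://github.com/coreruleset/coreruleset/archive/refs/heads/v3.3/master.zip -O crs.zip
sudo apt install unzip
sudo unzip crs.zip
# The archive only ships crs-setup.conf.example; copy it to the name the Include line expects
sudo cp coreruleset-*/crs-setup.conf.example crs-setup.conf
# Move only the archive's rules/ directory so that owasp-crs/rules/*.conf resolves
sudo mv coreruleset-*/rules rules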

# Fix permissions so LSWS can read it
sudo chown -R lsadm:lsadm /usr/local/lsws/conf/modsec/owasp-crs

# Add CRS include lines
sudo nano /usr/local/lsws/conf/modsec/rules.conf

Add these at the bottom if they aren’t already there:

Include /usr/local/lsws/conf/modsec/owasp-crs/crs-setup.conf
Include /usr/local/lsws/conf/modsec/owasp-crs/rules/*.conf

Then restart:
sudo systemctl restart lsws

OWASP CRS loads fine after that (confirmed in the logs), even though the CyberPanel toggle still flips back to OFF. That part is definitely a UI bug and should be fixed by the CP team.

Quick test (you should get blocked if CRS is working):
Visit something like:
https://your-domain.com/?test=<script>alert(1)</script>

OWASP will block it even though the toggle still turns OFF.
So CRS works, the UI toggle is the bug.
